Environment Variables and Secrets
Environment variables configure your application at runtime — database URLs, API keys, feature flags, and other settings. Clank passes them to your container when it starts. Secrets are a special type of environment variable that are encrypted at rest and masked in the dashboard.
Adding variables
Section titled “Adding variables”In the dashboard:
- Go to your service’s Environment tab.
- Click Add Variable.
- Enter a key (e.g.,
DATABASE_URL) and value (e.g.,postgres://...). - Toggle Secret if the value is sensitive.
- Save and redeploy for changes to take effect.
Environment variable changes require a redeployment. They are not injected into running containers.
Secrets vs plaintext
Section titled “Secrets vs plaintext”| Plaintext | Secret | |
|---|---|---|
| Visible in dashboard | Yes | Masked (shown as ••••••) |
| Stored in database | Plain text | Encrypted (AES-128 via Fernet) |
| In deployment snapshots | Encrypted | Encrypted |
| In container | Plain text (decrypted at deploy time) | Plain text (decrypted at deploy time) |
Both types are available to your application as regular environment variables. The distinction only affects how they are stored and displayed.
Encryption
Section titled “Encryption”Secrets are encrypted using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256) from the cryptography library. The master key is stored in the control plane’s environment, not in the database.
When a deployment is created, Clank takes a snapshot of all environment variables (both plaintext and decrypted secrets), encrypts the entire snapshot, and stores it with the deployment. This ensures:
- Each deployment has an immutable copy of the env vars it was deployed with.
- Changing env vars after a deploy does not affect running containers.
- Rollbacks restore the exact env vars from the original deployment.
Variable precedence
Section titled “Variable precedence”Variables are set at the service level. There are no project-level or team-level variable overrides. Each service has its own independent set of variables.
If your application reads environment variables from a .env file baked into the Docker image, Clank’s variables take precedence — they are passed directly to the container via Docker’s environment configuration.
Template variables
Section titled “Template variables”When you deploy a template (e.g., WordPress, n8n), Clank pre-populates environment variables with sensible defaults. These include database connection strings, generated passwords, and recommended settings. You can modify them before or after the first deploy.
Common variables
Section titled “Common variables”| Variable | Description | Example |
|---|---|---|
DATABASE_URL | Database connection string | postgres://user:pass@host:5432/db |
REDIS_URL | Redis connection string | redis://localhost:6379/0 |
PORT | Port the app should listen on | 3000 |
NODE_ENV | Node.js environment | production |
SECRET_KEY | Application secret key | (auto-generated) |
Best practices
Section titled “Best practices”- Mark sensitive values as secrets: API keys, passwords, tokens, and connection strings should always be secrets. They are encrypted at rest and hidden in the UI.
- Don’t commit secrets to git: Use Clank’s environment variables instead of
.envfiles in your repository. - Use descriptive key names:
STRIPE_SECRET_KEYis clearer thanKEY1. - Redeploy after changes: Environment variable updates require a redeployment to take effect.
Next steps
Section titled “Next steps”- Deployments — How env var snapshots work with deployments and rollbacks.